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DETAILED ACTION 
Specification 

1 . The abstract of the disclosure is objected to because it contains the phrase, "invention" in 
line 2 and 4, which can be implied. Correction is required. See MPEP § 608.01(b). 

It should avoid using phrases which can be implied, such as, "The disclosure concerns," "The disclosure 
defined by this invention," "The disclosure describes," etc. 

2. The disclosure is objected to because of the following informalities: the current status of 
the related reference U.S. applications recited under "cross-reference to related applications and 
patents" in page 1, serial No. 09/198,051, 09/206,772, 10/039,992, 10/108,085, 10/236,149, 
10/453,345, 10/611,573 must be updated as "now issued as U.S. Patent (with corresponding 
patent number)" or "now abandoned". 

Appropriate correction is required. 

Claim Objections 

3. Claims 2,3,7-9, and 1 1-32 are objected to because of the following informalities: 
Claim 2 recites an acronym "MIME" in line 5. For clarity, it is suggested to fully 

describe an acronym when reciting for the first time in the claim. 

Claim 3 is also objected for the same reason as set forth above in claim 2. 

Claim 3 recites "the first flow specification" in line 10. Since it is recited for the first 
time in the claim, for clarity it is suggested to change "the first flow specification" to "a first 
flow specification" or "the flow specification". 
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Claim 7 recites, "a flow" in line 1 . For consistency and clarification with "a flow" 
recited in claim 1, line 2, it is suggested to change "a flow" in line 1, to "the flow". 

Claim 8 is also objected for the same reason as set forth above in claim 7. 

Claim 7 recites "the time" in line 2. Since it is recited for the first time in the claim, for 
clarity it is suggested to change "the time" to "a time". 

Claim 9 recites an acronym "FIN" in line 1. For clarity, it is suggested to fully describe 
an acronym when reciting for the first time in the claim. 

Claim 11 recites "a traffic identifier" in line 1. For consistency and clarification with "a 
traffic identifier" recited in claim 1, line 5, it is suggested to change "a traffic identifier" in 
line 1, to "the traffic identifier". 

Claim 13 recites, "a flow" in lines 3 and 7. For consistency and clarification with "a 
flow" recited in line 3, it is suggested to change "a flow" in line 3, to "the flow". 

Claim 14 recites, "a flow" in line 4. For consistency and clarification with "a flow" 
recited in claim 13, line 3, it is suggested to change "a flow" in line 4, to "the flow". 

Claim 14 recites, "a traffic type" in line 4. For consistency and clarification with "a 
traffic type" recited in claim 13, line 4, it is suggested to change "a traffic type" in line 4, to 
"the traffic type". 

Claims 15-17 are also objected for the same reason as set forth above in claim 14. 

Claim 14 recites, "at least one attribute of the flow" in line 4. For consistency and 
clarification with "at least one flow attribute" recited in claim 13, line 4, it is suggested to 
change "at least one attribute of the flow" in line 4, to "the at least one flow attribute". 
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Claim 20 recites, "a flow" in line 1 . For consistency and clarification with "a flow" 
recited in claim 13, line 3, it is suggested to change "a flow" in line 1, to "the flow". 

Claim 21 is also objected for the same reason as set forth above in claim 20. 

Claim 23 recites, "a data collector" in lines 12 and 13. For consistency and clarification, 
it is suggested to change "a data collector" in line 13, to "the data collector". 

Claim 24 recites, "a flow" in line 4. For consistency and clarification with "a flow" 
recited in claim 23, line 5, it is suggested to change "a flow" in line 4, to "the flow". 

Claim 24 recites, "a traffic type" in line 4. For consistency and clarification with "a 
traffic type" recited in claim 23, line 6, it is suggested to change "a traffic type" in line 4, to "the 
traffic type". 

Claims 25-27 are also objected for the same reason as set forth above in claim 24. 

Claim 24 recites, "at least one attribute of the flow" in line 4. For consistency and 
clarification with "at least one flow attribute" recited in claim 23, line 6, it is suggested to 
change "at least one attribute of the flow" in line 4, to "the at least one flow attribute". 

Claims 12,18,19,22,28-32 are also objected since they are depended upon objected 
impendent claims 13 and 23 as set forth above. 

Appropriate corrections are required. 

Claim Rejections - 35 USC § 102 
4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 
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(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

5. Claims 1,5-7,10-13,18-20,23, and 28-30 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Kapoor (US007193968B1). 

Regarding Claim 1, Kapoor discloses a method enabling a flow-based data collection 
scheme (see FIG. 7, a method for performing traffic data flow collection in a system 100 (see 
FIG. 1)), comprising 

receiving a flow, the flow comprising at least one packet (see FIG. 4, Line card 430 
received traffic flows which comprises sequences of packets; col. 5, line 63 to col. 6, line 31, 56 
to col. 7, line 11); 

monitoring the flow in relation to at least one flow attribute (see FIG. 4, the combined 
system 420-430 monitors the each flow by monitoring the control information fields of each 
packet; see col. 6, line 3-31, 56-65; see col. 7, line 5-20); and 

associate a traffic type to the flow (see FIG. 4, a combined system of Route processor 420 
and line card 430 identifies/associate the differentiated traffic types/protocols to the traffic flow; 
see col. 6, line 62-65; see col. 7, line 1-10; 

upon termination of a flow (see FIG. 4, after/upon determining/detecting the last number 
of packet that is switched in a flow (i.e. upon termination of a flow); see col. 7, line 6-56), 
composing a flow data record (see FIG. 5 A-C, creating/forming/composing traffic information 
packet 500 that contains on or more flow records) comprising a traffic type identifier (see FIG. 
5A-B, comprises/contain header 510) corresponding to the traffic type associated with the flow 
(see FIG. 4, 5A-B, header 510 identifies/associates/corresponds the differentiated traffic 
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types/protocols to the traffic flow) and the at least one monitored flow attribute (see FIG. 4, 5 A- 
C, and the monitored control information fields (e.g. information indicates the number of 
packets)); see col. 7, line 5-15, line 45 to col. 8, line 55; and 

storing the flow data records in a database (see FIG. 4, memory 433; see col. 6, line 4-18; 
see col. 7, line 10-52; see col. 8, line 53-65; collecting/storing flow records in a table, where the 
flow record is lookup/searched/updated for network analysis). 

Regarding Claim 5, Kapoor discloses the at least one flow attribute is one of any of the 
following: a first packet time (see FIG. 5C, FIRST 538), a last packet time (see FIG. 5C, LAST 
539), the number of packets in the flow (see FIG. 5C, Number of packets 536), or the number of 
bytes in the flow (see FIG. 5C, number of layer 3 bytes 537); see col. 7, line 15-20; see col. 8, 
line 21-50. 

Regarding Claim 6, Kapoor discloses wherein the flow data record further includes one 
of any of the following: source address (see FIG. 5C, source IP address 531), destination address 
(see FIG. 5C, destination IP address 532), source port number (see FIG. 5C, source port 540), 
destination port number (see FIG. 5C, destination port 541), a first packet time (see FIG. 5C, 
FIRST 538), a last packet time (see FIG. 5C, LAST 539), the number of packets in the flow (see 
FIG. 5C, Number of packets 536), or the number of bytes in the flow (see FIG. 5C, number of 
layer 3 bytes 537); see col. 7, line 15-20; see col. 8, line 21-50. 

Regarding Claim 7, Kapoor discloses wherein termination of a flow is determined based 
on a threshold period of time (see col. 7, line 40-50; see col. 9, line 26-62; end of the sampling 
interval for a flow) and the time of the last packet in the flow (see FIG. 5C, LAST 539; the time 
of the last packet in the flow; see col. 7, line 10-11; see col. 8, line 32-40). 
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Regarding Claim 10, Kapoor discloses wherein at least one mapping exists between a 
traffic type identifier transmitted in flow data records and a traffic type name (see FIG. 4, 5B-C a 
flow sequence 526/flow processing ID engine 528 associates/maps to flow processing type 
527/protocol 544; or see FIG. 5C, first time stamps FIRST 538 and a last packet time stamp 
LAST 539; see col. 7, line 5-15, line 45 to col. 8, line 55); and 

wherein the method further comprises periodically storing the at lest one mapping in the 
database (see col. 7, line 45-56; see col. 8, line 56-65; traffic packet flow records are transmitted 
periodically to the managed router 450 for collection, and the managed router updates the table 
periodically in accordance with updated collected traffic information). 

Regarding Claim 11, Kapoor discloses wherein at least one mapping exists between a 
traffic type identifier transmitted in flow data records and a traffic type name (see FIG. 4, 5B-C a 
flow sequence 526/flow processing ID engine 528 associates/maps to flow processing type 
527/protocol 544; or see FIG. 5C, first time stamps FIRST 538 and a last packet time stamp 
LAST 539; see col. 7, line 5-15, line 45 to col. 8, line 55); and 

wherein the method further comprises periodically transmitting the at lest one mapping in 
the database (see col. 7, line 45-56; see col. 8, line 56-65; traffic packet flow records are 
transmitted periodically to the managed router 450 for collection). 

Regarding Claim 12, Kapoor discloses wherein the at least one mapping is transmitted 
in one or more mapping messages (see FIG. 5 A-C, sending traffic information packets 
comprising mapping/associating 510 and 515) and 
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wherein the mapping messages further include time stamps (see FIG. 5C, flow record 
format 515 contains first time stamps FIRST 538 and a last packet time stamp LAST 539; see 
col. 7, line 5-15, line 45 to col. 8, line 55). 

Regarding Claim 13, Kapoor discloses an apparatus enabling a flow-based data 
collection scheme (see FIG. 1, Node/Router/Switch 195(1)-(N); see FIG. 4, Node/Router/Switch 
400), comprising 

a packet processor (see FIG. 4, a combined system of Route processor 420 and line card 
430) operative to 

receive a flow, the flow comprising at least one packet (see FIG. 4, Line card 430 
received traffic flows which comprises sequences of packets; col. 5, line 63 to col. 6, line 31, 56 
to col. 7, line 11); 

associate a traffic type to the flow (see FIG. 4, the combined system 420-430 
identifies/associates the differentiated traffic types/protocols to the traffic flow; see col. 6, line 
62-65; see col. 7, line 1-10; 

monitor the flow in relation to at least one flow attribute (see FIG. 4, the combined 
system 420-430 monitors the each flow by monitoring the control information fields of each 
packet; see col. 6, line 3-31, 56-65; see col. 7, line 5-20); and 

a flow data record emitter (see FIG. 4, Router processor 420) operative to: 

upon termination of a flow (see FIG. 4, after/upon detecting/determining the last number 
of packet that is switched in a flow (i.e. upon termination of a flow); see col. 7, line 6-56), 
compose a flow data record (see FIG. 5A-C, creating/forming traffic information packet 500 that 
contains on or more flow records) comprising a traffic type identifier (see FIG. 5A-B, contains 
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header 510) corresponding to the traffic type associated with the flow (see FIG. 4, 5A-B header 
510 identifies/associates/corresponds the differentiated traffic types/protocols to the traffic flow) 
and the at least one monitored flow attribute (see FIG. 4, 5 A-C, and monitored control 
information fields (e.g. information indicates the number of packets)); see col. 7, line 5-15, line 
45 to col. 8, line 55; and 

transmit the flow data record (see FIG. 5 A, exporting/transmitting summary traffic 
information packet 500 with flow records 515) to a data collector (see FIG. 1, 4, to a 
Node/Router/Switch 400 (e.g. 195(2)) configured as network management for network data 
collection; see col. 7, line 10-67). 

Regarding Claim 18, Kapoor discloses the at least one flow attribute is one of any of the 
following: a first packet time (see FIG. 5C, FIRST 538), a last packet time (see FIG. 5C, LAST 
539), the number of packets in the flow (see FIG. 5C, Number of packets 536), or the number of 
bytes in the flow (see FIG. 5C, number of layer 3 bytes 537); see col. 7, line 15-20; see col. 8, 
line 21-50. 

Regarding Claim 19, Kapoor discloses wherein the flow data record further includes one 
of any of the following: source address (see FIG. 5C, source IP address 531), destination address 
(see FIG. 5C, destination IP address 532), source port number (see FIG. 5C, source port 540), 
destination port number (see FIG. 5C, destination port 541), a first packet time (see FIG. 5C, 
FIRST 538), a last packet time (see FIG. 5C, LAST 539), the number of packets in the flow (see 
FIG. 5C, Number of packets 536), or the number of bytes in the flow (see FIG. 5C, number of 
layer 3 bytes 537); see col. 7, line 15-20; see col. 8, line 21-50. 
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Regarding Claim 20, Kapoor discloses wherein termination of a flow is determined 
based on a threshold period of time (see col. 7, line 40-50; see col. 9, line 26-62; end of the 
sampling interval for a flow) and the time of the last packet in the flow (see FIG. 5C, LAST 539; 
the time of the last packet in the flow; see col. 7, line 10-11; see col. 8, line 32-40). 

Regarding Claim 23, Kapoor discloses a system enabling a flow-based data collection 
scheme (see FIG. 1, Network 100) comprising 

at least one network device (see FIG. 1, 4. Node/Router/Switch 195(1)-(N) (e.g. 195(5))) 
disposed in a communication path (see FIG. 1, path 191/192) between first and second networks 
(see FIG. 1, Node/Router/Switch N (e.g. 195(5)) is between a network consists of nodes 
195(1,4,7) and another network consists of nodes 105(3,6,9)); see col. 2, line 62 to col. 3, line 9; 
the first network device (see FIG. 1 , Node/Router/Switch 195(1)-(N); see FIG. 4, 
Node/Router/Switch 400) comprising 

a packet processor (see FIG. 4, a combined system of Route processor 420 and line card 
430) operative to 

receive a flow, the flow comprising at least one packet (see FIG. 4, Line card 430 
received traffic flows which comprises sequences of packets; col. 5, line 63 to col. 6, line 31, 56 
to col. 7, line 11); 

associate a traffic type to the flow (see FIG. 4, the combined system 420-430 
identifies/associate the differentiated traffic types/protocols to the traffic flow; see col. 6, line 62- 
65; see col. 7, line 1-10; 
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monitor the flow in relation to at least one flow attribute (see FIG. 4, the combined 
system 420-430 monitors the each flow by monitoring the control information fields of each 
packet; see col. 6, line 3-3 1, 56-65; see col. 7, line 5-20); and 

a flow data record emitter (see FIG. 4, Router processor 420) operative to: 

upon termination of a flow (after/upon detecting/determining the last number of packet 
that is switched in a flow (i.e. upon termination of a flow); see col. 7, line 6-56), compose a flow 
data record (see FIG. 5 A-C, creating/forming/composing traffic information packet 500 that 
contains on or more flow records) comprising a traffic type identifier (see FIG. 5A-B, contains 
header 510) corresponding to the traffic type associated with the flow (see FIG. 4, 5A-B header 
510 identifies/associates/corresponds the differentiated traffic types/protocols to the traffic flow) 
and the at least one monitored flow attribute (see FIG. 4, 5A-C, and monitored the control 
information fields (e.g. information indicates the number of packets)); see col. 7, line 5-15, line 
45 to col. 8, line 55; and 

transmit the flow data record (see FIG. 5 A, exporting/transmits summary traffic 
information packet 500 with flow records 515) to a data collector (see FIG. 1, 4, to a 
Node/Router/Switch 400 (e.g. 195(2)) configured as network management for network data 
collection; see col. 7, line 10-67); and 

a data collector (see FIG. 1, another Node/Router/Switch 400 (e.g. 195(2)) 
configured/enabling as network management for network data collection) operative to: 

receive flow data records from the first network device (see col. 7, line 35-57,63-67, see 
col. 8, line 53 to col. 9, line 3; another Node/Router/Switch 400 receives traffic information 
packet 500 with flow records 515) and 
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store the flow data records in a searchable database (see FIG. 4, memory 433; see col. 6, 
line 4-18; see col. 7, line 10-52; see col. 8, line 53-65; collecting/storing flow records in a table, 
where the flow record is lookup/searched/updated for network analysis). 

Regarding Claim 28, Kapoor discloses the at least one flow attribute is one of any of the 
following: a first packet time (see FIG. 5C, FIRST 538), a last packet time (see FIG. 5C, LAST 
539), the number of packets in the flow (see FIG. 5C, Number of packets 536), or the number of 
bytes in the flow (see FIG. 5C, number of layer 3 bytes 537); see col. 7, line 15-20; see col. 8, 
line 21-50. 

Regarding Claim 29, Kapoor discloses wherein the flow data record further includes one 
of any of the following: source address (see FIG. 5C, source IP address 531), destination address 
(see FIG. 5C, destination IP address 532), source port number (see FIG. 5C, source port 540), 
destination port number (see FIG. 5C, destination port 541), a first packet time (see FIG. 5C, 
FIRST 538), a last packet time (see FIG. 5C, LAST 539), the number of packets in the flow (see 
FIG. 5C, Number of packets 536), or the number of bytes in the flow (see FIG. 5C, number of 
layer 3 bytes 537); see col. 7, line 15-20; see col. 8, line 21-50. 

Regarding Claim 30, Kapoor discloses wherein termination of a flow is determined 
based on a threshold period of time (see col. 7, line 40-50; see col. 9, line 26-62; end of the 
sampling interval for a flow) and the time of the last packet in the flow (see FIG. 5C, LAST 539; 
the time of the last packet in the flow; see col. 7, line 10-11; see col. 8, line 32-40). 
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Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

7. Claim 2,14,15,24 and 25 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Kapoor in view of Cheriton (US007 1 2093 1 B 1 ). 

Regarding Claim 2, Kapoor discloses parsing at least one packet associated with the 
flow into a flow specification (see col. 6, line 62 to col. 7, line 13; tracking/determining/parsing 
the packet header of the flow according to flow plan/specification/arrangement (e.g. source 
addresses, destination address, protocol, type of service (TOS))), wherein said flow specification 
contains at least one instance of any one of the following: a protocol family designation (see 
FIG. 3, protocol 331), a protocol type designation (see FIG. 3, protocol 331), and a pair of hosts 
(see FIG. 3, source 340 and destination address 350); see col. 5, line 10-44; see col. 6, line 60-67; 

having found a matching traffic type (see FIG. 4, the combined system 420-430 identifies 

a specific traffic type/protocol), associating said flow specification with a traffic type from the 

i 

plurality of traffic types (see FIG. 4, the combined system 420-430 associates/relates flow 
plan/specification/arrangement to a specific traffic type/protocol from the a differentiated traffic 
types/protocols; see col. 6, line 62-65; see col. 7, line 1-10). 

Kapoor does not explicitly disclose matching the flow specification of the parsing step to 
a plurality of traffic types, each of the traffic types defined by one or more matching attributes. 
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However, Cheriton teaches parsing at least one packet associated with the flow into a 
flow specification (see FIG. 3, Classification device 80 examining/parses/filters a packet 
associated with a network flow 64 according to a flow plan/specification/arrangement; see col. 6, 
line 20-46; see FIG. 5, step 100, 102), wherein said flow specification contains at least one 
instance of any one of the following: a protocol family designation (see col. 5, line 60 to col. 6, 
line 26; protocol name), a protocol type designation (see col. 5, line 60 to col. 6, line 26; protocol 
type), a pair of hosts (see col. 5, line 60 to col. 6, line 26; source and destination addresses), and 
a pair of ports (see col. 5, line 60 to col. 6, line 26; source and destination ports); 

matching the flow specification of the parsing step to a plurality of traffic types (see 
FIG.5, SI 02, 104; classifying and lookup the examined/parsed flow 

plan/specification/arrangement to transmission protocols/types of packets by lookup device 82 
(see FIG. 3)), each of the traffic types defined by one or more matching attributes (see FIG. 3, 
the each transmission protocols/types is determined/defined according to lookup header 
attributes (e.g. address, port, etc.); see col. 5, line 55 to col. 6, line 49); and thereupon, 

having found a matching traffic type in the matching step (see FIG. 5, SI 04, 406, when 
lookup of protocol/type of packet is successful (i.e. having found matching)), associating said 
flow specification with a traffic type from the plurality of traffic types (see FIG. 5, SI 10, 
relating/associating/processing the flow plan/specification/arrangement with a specific flow 
type/protocol from the transmissions protocols/types); see col. 6, line 35 to col. 7, line 5). 

Therefore, it would have been obvious to one having ordinary skill in the art at the time 
the invention was made to provide matching the flow specification of the parsing step to a 
plurality of traffic types, each of the traffic types defined by one or more matching attributes, as 
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taught by Cheriton in the system of Kapoor, so that it would generate filter based on analyzed 
flow data; see Cheriton col 2, line 15-55. 

Regarding Claim 14, Kapoor discloses a traffic database operative to store mappings 
between traffic type names and traffic type identifiers (see FIG. 4, 5B-C, Memory 433 of 
Node/Router/Switch N (e.g. 195(5)), which stores the tables that contains a flow sequence 
526/flow processing ID engine 528 associating/mapping to flow processing type 527/protocol 
544; or see FIG. 5C, first time stamps FIRST 538 and a last packet time stamp LAST 539; see 
col. 7, line 5-15, line 45 to col. 8, line 55) 

identify a flow into a traffic type based on at least one attribute of the flow (see FIG. 4, 
the combined system 420-430 identifies/associate the differentiated traffic types/protocols to the 
control information fields traffic flow (see FIG. 5A-C); see col. 6, line 62-65; see col. 7, line 1- 
10; and 

wherein the flow data record emitter (see FIG. 4, Router processor 420) is further 
operative to: 

transmit the mappings between the traffic type names and traffic type identifiers to the 
data collector (see FIG. 5A-C, sending traffic information packets comprising 
mapping/associating 510 and 515 to the management node 195, where flow record format 515 
contains first time stamps FIRST 538 and a last packet time stamp LAST 539; see col. 7, line 5- 
15, line 45 to col. 8, line 55). 

Kapoor does not explicitly disclose a classification and classify. 
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However, Cheriton teaches a traffic classification database operative to store mappings 
between traffic type names and traffic type identifiers (see FIG. 3, flow memory 86 stores the 
flow types/protocol name and flow types/protocol ID) and; 

classify a flow into a traffic type based on at least one attribute of the flow (see FIG. 3, a 
combined system of Classification 80 and network flow lookup 82 classified the flow into 
specific flow type according to header the packet of the flow; see col. 6, line 6-50). 

Therefore, it would have been obvious to one having ordinary skill in the art at the time 
the invention was made to provide classification, as taught by Cheriton in the system of Kapoor, 
so that it would separate the data into different flows for analyzing; see Cheriton col. 2, line 55- 
63. 

Regarding Claim 15, Kapoor discloses parsing at least one packet associated with the 
flow into a flow specification (see col. 6, line 62 to col. 7, line 13; tracking/determining/parsing 
the packet header of the flow according to flow plan/specification/arrangement (e.g. source 
addresses, destination address, protocol, type of service (TOS))), wherein said flow specification 
contains at least one instance of any one of the following: a protocol family designation (see 
FIG. 3, protocol 331), a protocol type designation (see FIG. 3, protocol 331), and a pair of hosts 
(see FIG. 3, source 340 and destination address 350); see col. 5, line 10-44; see col. 6, line 60-67; 

having found a matching traffic type (see FIG. 4, the combined system identifies a 
specific traffic type/protocol), associating said flow specification with a traffic type from the 
plurality of traffic types (see FIG. 4, the combined system 420-430 associates/relates flow 
plan/specification/arrangement to a specific traffic type/protocol from the a differentiated traffic 
types/protocols; see col. 6, line 62-65; see col. 7, line 1-10). 
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Kapoor does not explicitly disclose matching the flow specification of the parsing step to 
a plurality of traffic types, each of the traffic types defined by one or more matching attributes. 

However, Cheriton teaches parsing at least one packet associated with the flow into a 
flow specification (see FIG. 3, Classification device 80 examining/parses/filters a packet 
associated with a network flow 64 according to a flow plan/specification/arrangement; see col. 6, 
line 20-46; see FIG. 5, step 100, 102), wherein said flow specification contains at least one 
instance of any one of the following: a protocol family designation (see col. 5, line 60 to col. 6, 
line 26; protocol name), a protocol type designation (see col. 5, line 60 to col. 6, line 26; protocol 
type), a pair of hosts (see col. 5, line 60 to col. 6, line 26; source and destination addresses), and 
a pair of ports (see col. 5, line 60 to col. 6, line 26; source and destination ports); 

matching the flow specification of the parsing step to a plurality of traffic types (see 
FIG. 5, SI 02, 104; classifying and lookup the examined/parsed flow 

plan/specification/arrangement to transmission protocols/types of packets by lookup device 82 
(see FIG. 3)), each of the traffic types defined by one or more matching attributes (see FIG. 3, 
the each transmission protocols/types is determined/defined according to lookup header 
attributes (e.g. address, port, etc.); see col. 5, line 55 to col. 6, line 49); and thereupon, 

having found a matching traffic type in the matching step (see FIG. 5, SI 04, 406, when 
lookup of protocol/type of packet is successful (i.e. having found matching)), associating said 
flow specification with a traffic type from the plurality of traffic types (see FIG. 5, SI 10, 
relating/associating/processing the flow plan/specification/arrangement with a specific flow 
type/protocol from the transmissions protocols/types); see col. 6, line 35 to col. 7, line 5). 
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Therefore, it would have been obvious to one having ordinary skill in the art at the time 
the invention was made to provide matching the flow specification of the parsing step to a 
plurality of traffic types, each of the traffic types defined by one or more matching attributes, as 
taught by Cheriton in the system of Kapoor, so that it would generate filter based on analyzed 
flow data; see Cheriton col. 2, line 15-55. 

Regarding Claim 24, Kapoor discloses a traffic database operative to store mappings 
between traffic type names and traffic type identifiers (see FIG. 4, 5B-C, Memory 433 of 
Node/Router/Switch N (e.g. 195(5)), which stores the tables that contains a flow sequence 
526/flow processing ID engine 528 associating/mapping to flow processing type 527/protocol 
544; or see FIG. 5C, first time stamps FIRST 538 and a last packet time stamp LAST 539; see 
col. 7, line 5-15, line 45 to col. 8, line 55) 

identify a flow into a traffic type based on at least one attribute of the flow (see FIG. 4, 
the combined system 420-430 identifies/associate the differentiated traffic types/protocols to the 
control information fields traffic flow (see FIG. 5A-C); see col. 6, line 62-65; see col. 7, line 1- 
10; and 

wherein the flow data record emitter (see FIG. 4, Router processor 420) is further 
operative to: 

transmit the mappings between the traffic type names and traffic type identifiers to the 
data collector (see FIG. 5A-C, sending traffic information packets comprising 
mapping/associating 510 and 515 to the management node 195, where flow record format 515 
contains first time stamps FIRST 538 and a last packet time stamp LAST 539; see col. 7, line 5- 
15, line 45 to col. 8, line 55). 
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Kapoor does not explicitly disclose a classification and classify. 

However, Cheriton teaches a traffic classification database operative to store mappings 
between traffic type names and traffic type identifiers (see FIG. 3, flow memory 86 stores the 
flow types/protocol name and flow types/protocol ID) and; 

classify a flow into a traffic type based on at least one attribute of the flow (see FIG. 3, a 
combined system of Classification 80 and network flow lookup 82 classified the flow into 
specific flow type according to header the packet of the flow; see col. 6, line 6-50). 

Therefore, it would have been obvious to one having ordinary skill in the art at the time 
the invention was made to provide classification, as taught by Cheriton in the system of Kapoor, 
so that it would separate the data into different flows for analyzing; see Cheriton col. 2, line 55- 
63. 

Regarding Claim 25, Kapoor discloses parsing at least one packet associated with the 
flow into a flow specification (see col. 6, line 62 to col. 7, line 13; tracking/determining/parsing 
the packet header of the flow according to flow plan/specification/arrangement (e.g. source 
addresses, destination address, protocol, type of service (TOS))), wherein said flow specification 
contains at least one instance of any one of the following: a protocol family designation (see 
FIG. 3, protocol 331), a protocol type designation (see FIG. 3, protocol 331), and a pair of hosts 
(see FIG. 3, source 340 and destination address 350); see col. 5, line 10-44; see col. 6, line 60-67; 

having found a matching traffic type (see FIG. 4, the combined system identifies a 
specific traffic type/protocol), associating said flow specification with a traffic type from the 
plurality of traffic types (see FIG. 4, the combined system 420-430 associates/relates flow 
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plan/specification/arrangement to a specific traffic type/protocol from the a differentiated traffic 
types/protocols; see col. 6, line 62-65; see col. 7, line 1-10). 

Kapoor does not explicitly disclose matching the flow specification of the parsing step to 
a plurality of traffic types, each of the traffic types defined by one or more matching attributes. 

However, Cheriton teaches parsing at least one packet associated with the flow into a 
flow specification (see FIG. 3, Classification device 80 examining/parses/filters a packet 
associated with a network flow 64 according to a flow plan/specification/arrangement; see col. 6, 
line 20-46; see FIG. 5, step 100, 102), wherein said flow specification contains at least one 
instance of any one of the following: a protocol family designation (see col. 5, line 60 to col. 6, 
line 26; protocol name), a protocol type designation (see col. 5, line 60 to col. 6, line 26; protocol 
type), a pair of hosts (see col. 5, line 60 to col. 6, line 26; source and destination addresses), and 
a pair of ports (see col. 5, line 60 to col. 6, line 26; source and destination ports); 

matching the flow specification of the parsing step to a plurality of traffic types (see 
FIG.5, SI 02, 104; classifying and lookup the examined/parsed flow 

plan/specification/arrangement to transmission protocols/types of packets by lookup device 82 
(see FIG. 3)), each of the traffic types defined by one or more matching attributes (see FIG. 3, 
the each transmission protocols/types is determined/defined according to lookup header 
attributes (e.g. address, port, etc.); see col. 5, line 55 to col. 6, line 49); and thereupon, 

having found a matching traffic type in the matching step (see FIG. 5, SI 04, 406, when 
lookup of protocol/type of packet is successful (i.e. having found matching)), associating said 
flow specification with a traffic type from the plurality of traffic types (see, FIG. 5, SI 10, 
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relating/associating/processing the flow plan/specification/arrangement with a specific flow 
type/protocol from the transmissions protocols/types); see col. 6, line 35 to col. 7, line 5). 

Therefore, it would have been obvious to one having ordinary skill in the art at the time 
the invention was made to provide matching the flow specification of the parsing step to a 
plurality of traffic types, each of the traffic types defined by one or more matching attributes, as 
taught by Cheriton in the system of Kapoor, so that it would generate filter based on analyzed 
flow data; see Cheriton col 2, line 15-55. 

8. Claim 8,9,21,22, 31 and 32 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Kapoor in view of Kirby (US007120931B1). 

Regarding Claim 8, Kapoor discloses termination of a flow as set forth above in claims 
1 above. 

Kapoor does not explicitly disclose a protocol message is a TCP FIN packet. 

However, it is well know in the art of TCP protocol standard that FIN (Finish) packet is 
sent to close the flow connection. In particular, Kirby teaches termination of a flow is determined 
on a protocol message, wherein the protocol message is a TCP FIN packet (see col. 1, line 35-42; 
see col. 3, line 60-65; see col. 4, line 6-12; FIN packet is send to terminate the flow connection). 

Therefore, it would have been obvious to one having ordinary skill in the art at the time 
the invention was made to provide FIN packet, as taught by well established teaching in art and 
Kirby in the system of Kapoor, so that it would provide controlling passage of packets which 
conforms to a predefined communication protocol; see Kirby col. 2, line 50-65; see col. 3, line 
30-40. 
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Regarding Claim 9, the claim, which has substantially disclosed all the limitations of the 
respective claim 8. Therefore, it is subjected to the same rejection as set forth above in claim 8. 

Regarding Claim 21, Kapoor discloses termination of a flow as set forth above in claim 
13 above. 

Kapoor does not explicitly disclose a protocol message. 

However, it is well know in the art of TCP protocol standard that FIN (Finish) packet is 
sent to close the flow connection. In particular, Kirby teaches termination of a flow is determined 
on a protocol message, wherein the protocol message (see col. 1, line 35-42; see col. 3, line 60- 
65; see col. 4, line 6-12; TCP protocol FIN packet/message is send to terminate the flow 
connection). 

Therefore, it would have been obvious to one having ordinary skill in the art at the time 
the invention was made to provide a protocol message, as taught by well established teaching in 
art and Kirby in the system of Kapoor, so that it would provide controlling passage of packets 
which conforms to a predefined communication protocol; see Kirby col. 2, line 50-65; see col. 3, 
line 30-40. 

Regarding Claim 22, Kapoor discloses termination of a flow as set forth above in claim 
13 above. 

Kapoor does not explicitly disclose a protocol message is a TCP FIN packet. 

However, it is well know in the art of TCP protocol standard that FIN (i.e. Finish) packet 
is sent to close the flow connection. In particular, Kirby teaches termination of a flow is 
determined on a protocol message, wherein the protocol message is a TCP FIN packet (see col. 
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1, line 35-42; see col. 3, line 60-65; see col. 4, line 6-12; a TCP protocol FIN packet is send to 
terminate the flow connection). 

Therefore, it would have been obvious to one having ordinary skill in the art at the time 
the invention was made to provide FIN packet, as taught by well established teaching in art and 
Kirby in the system of Kapoor, so that it would provide controlling passage of packets which 
conforms to a predefined communication protocol; see Kirby col. 2, line 50-65; see col. 3, line 
30-40. 

Regarding Claim 31, Kapoor discloses termination of a flow as set forth above in claim 
23 above. 

Kapoor does not explicitly disclose a protocol message. 

However, it is well know in the art of TCP protocol standard that FIN (i.e. Finish) packet 
is sent to close the flow connection. In particular, Kirby teaches termination of a flow is 
determined on a protocol message (see col. 1, line 35-42; see col. 3, line 60-65; see col. 4, line 6- 
12; TCP protocol FIN packet/message is send to terminate the flow connection). 

Therefore, it would have been obvious to one having ordinary skill in the art at the time 
the invention was made to provide FIN packet, as taught by well established teaching in art and 
Kirby in the system of Kapoor, so that it would provide controlling passage of packets which 
conforms to a predefined communication protocol; see Kirby col. 2, line 50-65; see col. 3, line 
30-40. 

Regarding Claim 32, Kapoor discloses termination of a flow as set forth above in claim 
23 above. 

Kapoor does not explicitly disclose a protocol message is a TCP FIN packet. 
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However, it is well know in the art of TCP protocol standard that FIN (Finish) packet is 
sent to close the flow connection. In particular, Kirby teaches termination of a flow is determined 
on a protocol message, wherein the protocol message is a TCP FIN packet (see col. 1, line 35-42; 
see col. 3, line 60-65; see col. 4, line 6-12; TCP protocol FIN packet is send to terminate the flow 
connection). 

Therefore, it would have been obvious to one having ordinary skill in the art at the time 
the invention was made to provide FIN packet, as taught by well established teaching in art and 
Kirby in the system of Kapoor, so that it would provide controlling passage of packets which 
conforms to a predefined communication protocol; see Kirby col. 2, line 50-65; see col. 3, line 
30-40. 

Allowable Subject Matter 
9. Claims 3,4,16,17,26 and 27 are objected to as set forth in paragraph 3, and as being 
dependent upon a rejected base claim, but would be allowable if rewritten in independent form 
including all of the limitations of the base claim and any intervening claims. 

The following is a statement of reasons for the indication of allowable subject matter: 
Claims 3,4,16,17,26 and 27 are allowable over the prior art of record since the cited 
reference taken individually or in combination fails to particularly disclose or render obvious the 
following italic limitations: 

In claims 3, 16 and 26 ... matching ...to a plurality of hierarchically-recognized traffic 
types represented by a plurality of nodes, each node having a traffic specification defining at 
least one matching attribute... associating the first flow specification with a traffic type of said 
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plurality of hierarchically-recognized traffic types. . . in combination with other limitations 
recited as specified in Claims 3, 16 and 26. 

In claims 4, 17 and 27 . .. matching ... to a plurality of recognized traffic types 
represented by a plurality entries in at least one traffic type identification table, each entry in the 
traffic type identification table including at least one matching attribute ...associating the first 
flow specification with a traffic type of said plurality of recognized traffic types in the at least 
one traffic identification table.... in combination with other limitations recited as specified in 
Claims 4,17 and 27. 

Conclusion 

10. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

• Phaal (US 6,894,972) discloses a network monitoring system and method for analyzing 
network traffic by collecting flows of packets. 

• Yam ad a (US006738352B1) discloses an apparatus and method that extract address and 
flow discrimination information and transfers the collected flow based on received flow 
information. 

1 1 . Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Ian N. Moore whose telephone number is 571-272-3085. The 
examiner can normally be reached on 9:00 AM- 6:00 PM. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Doris To can be reached on 571-272-7629. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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